Important Questions and Answers concerning the Audit Trail Review - Part 2

In part one of this news you alreaday received the first set of questions and answers from the webinar on Audit Trail Review conducted back in February. Following you can read what further questions were asked and what Dr. Wolfgang Schumacher responded subsequently as time during the webinar did not allow to answer all of them.

28. How do you justify the reintegration of chromatograms versus the method specification in the audit trail?Answer: A reintegration should only be necessary if the analysis wasn't carried out for one reason or another. The reason has to be specified and must be signed by the management. The laboratory employee is not allowed to take the decision himself.

29. What is important for machine manufacturers in the area of audit trails especially as concerns the continuous production? What has to be taken into consideration? What must be included?Answer: This question is difficult to answer as concerns a machine manufacturer since the answer depends on the product manufactured with the equipment (for instance a critical, highly effective product or a non toxic excipient). The pharmaceutical producer must carry out the risk analysis.

30. Page 7: How has data to be classified that concerns products which are manufactured from blood components and that is part of the donation process (donor management)? I consider them as critical data with influence on SQuiPP. Answer: Just the way I see it.

31. Audit trail review only for critical data: Does this mean that it has to be carried out only for systems with data which influence the product directly? And not for systems which only have an indirect influence?Answer: You decide this by yourself by means of the risk analysis. No audit trail review is required for a training system for example.

32. How do you decide which data require the 4-eyes-principle? Can this be decided by means of a classification of "direct" versus "indirect" influence? Answer: Yes, this is the first approach, together with the criticality of the system.

33. Page 35: This means that in the course of the periodic reviews it is only reviewed whether the process is still functioning - hence, if the audit trail data is still recorded? This means no selection = random sampling of data sets?Answer: A review by means of examples of data should also be part of the control of functionality (SYSTEM Audit Trail). This means that random sampling is useful.

34. Page 44: Why are only global systems in the scope? Usually the most critical systems in production and QC exist on local basis.Answer: This was only supposed to be an example. Naturally, local systems are as important as global ones.

35. How or where (guidance document) is it advisable to define raw data?Answer: (Unfortunately) there is no uniform definition. This means you are flexible to define this for your company.

36. When are the final FDA, MHRA etc Guidances to be expected? Answer: It is doubtful whether the MHRA Guidance will be applicable at all, in light of the Brexit. The FDA Guidance is to be expected by the end of 2017 at the earliest, but it is more likely that it will be 2018.

37. When parts of data are printed it becomes static data. But the audit trail review has to be carried out for all critical and electronically produced data in the system. It is not possible to refer to the printed version!? Answer: Static data is data the user cannot change. It is only important if the user had the possibility to change the data PRIOR to the data being printed. I do not think that a reference to the paper record will be accepted.

38. How do you assess the situation for API manufacturers? Answer: You have to decide yourself whether you produce critical APIs. If so, I see no chance to renounce to the audit trail review in the long run. But it won't have the same priority as in the case of a manufacturer of a finished medicinal product.

39. Can the review of a printout of the drying temperature profile be considered to be part of the audit trail review of the batch?Answer: In my opinion this is a good example for static data for which no audit trail review has to be carried out. The reason is that the user cannot change or access this data.

40. Is analytical data (raw data, metadata) from the validation of analytical procedures classified as being non critical? Do we interpret your slide number 3 "What other data is there?" correctly? In this case the audit trail review would not be required.Answer: The validation of analytical procedures precedes the daily analyses for the batch release and constitutes the basis for them. The validation data is released with a report. The audit trail review is not required.

41. Static data - dynamic data: a. May we define entries in our CDS such as standard concentrations, densities, dilution factors, ..., hence parameters used for the quantification of content and purity as static data? Or are these entries also part of the dynamic data such as the (re)integration of peaks?Answer: In my opinion this is also dynamic data the user can influence or change.

42. Static data - dynamic data:b. Is it possible to shorten the audit trail review by taking the status of the analytical sequence and controlling the recorded parameters (such as concentration of the standards, ...) at the end of the analysis and by stating that all changes and corrections carried out in the meantime are part of the analysis and evaluation and must consequently not be commented?Answer: In my view this is acceptable as long as a control is carried out and confirmed by a second person.

43. Is it acceptable that a user has the entitlement for reintegration at a GC system or should the laboratory manager be the only person authorised to do this? Are there any relevant requirements or recommendations?Answer: This should be regulated internally in an SOP. Preference should be given to the laboratory manager since he has a control function. I know nothing about any requirements concerning this.

44. It was mentioned in the seminar that the audit trail review is part of the Periodic Review. What other points are included in the Periodic Review? Answer:

Roles and Responsibilities

Service Agreements

Validation/Qualification and Project Deliverables:

System Control Procedures

Audit Trail management

Incidents, Problems

Changes, Upgrades

Security, User Access, User Administration

User Guides

Backup, BCP, Performance, Reliability Monitoring

System Access Training

Archived Data

45. In Annex 11 as well as in other guidelines is required the "regular" revision of the audit trail. But is it really defined in any guideline that this has to be performed prior to the release of the product? Answer: This is implied in Annex 11: The authors (inspectors) cite this again and again as explanation since this is the most critical data of all.

46. Or is this rather the case since "regularly" is interpreted in this way by now? I understand that one may reach this conclusion after a risk assessment. But it could also be different, couldn't it? Answer: Your own analysis of the critical data may well reach another conclusion. The own result defines the procedure.

47. If I have implemented a role concept for example and trained all staff members thoroughly as concerns the topic DI won't it then be sufficient to carry out a review of the audit trail on a random basis and to carry out the review prior to the batch release only in the case of irregularities such as OOS results? Answer: It is acceptable to carry out a review on the basis of the system's "exception" reports. These exception reports always must be checked anyway. It is not acceptable to carry out a review only on a random basis (but ultimaltey, this is defined by the risk analysis).

48. Which measures may be taken if the audit trail (as well as the actual data) can be deleted or changed at the level of Windows?Answer: In the case of systems that can store locally on the HD of the user it is possible to set up two local user profiles. Then, for instance, the system stores data only on the profile the user cannot access.

49. Is it possible at all to have analytical data in the manufacture of active pharmaceutical ingredients that must be classified as GxP critical (= direct influence on the quality/integrity of the product) if it is known that the API and the finished product will be reviewed again in the subsequent manufacture of finished products? Or is this irrelevant and if so, why?Answer: If you reach the conclusion in the risk assessment that none of the APIs are critical a complete exclusion from the audit trail review would be conceivable. But this will hardly be accepted in practice as there are highly potent small molecules and very critical biotechnological active pharmaceutical ingredients.

50. Or, to pose the question in another way: Do you think it is conceivable that in the course of the release process of the analytical results no audit trail review is carried out with one of the CDS systems used for the manufacture of APIs? If no, which analysis (raw material, final product, proof of identity of the API, IPC, proof of efficacy) would always have to be classified as being critical? Answer: I recommend to carry out an audit trail review for the critical APIs at least. The analysis of the final product surely is the most important one, since here the tests will be comprehensive.

51. When assessing the criticality of data the influence of the data on the data integrity is mentioned as one criterion apart from the influence on the product quality. There seems to be a direct influence on the integrity of data almost always. How can this criterion be further substantiated in order to be able to use it in a differentiated way? Answer: This is like going round in circles. The quality of the product always is of the highest importance. The criterion "data integrity" by itself is not meaningful but has to be specified by attributes such as "access security", "duration of storage until destruction" etc.

52. I would like to know what you think about the relevance of the audit trail and the audit trail review for an eDMS which also generates, stores and manages TMF documents (eTMF) (with Approval Workflows)?Answer: It is important for an eTMF that no changes can be carried out. I think that an audit trail review is out of the question since the data already has the form of a report. The access security to the eTMF itself is an important element in order to ensure that no data can be "changed" after the first submission.

53. The second question points in the same direction but concerns an eDMS in which GMP documents are stored and versioned by means of Approval Workflows with e-signature (such as CMC documents: specifications, laboratory methods or batch records: product master manufacturing record; or also validation documents)Answer: The audit trail review is senseless for an eDMS as the persons signing a document read it prior to signing. During the validation of a system it is checked that no data can be "changed" (version control).

We would like to thank Dr Schumacher for taking the time to answer all questions comprehensively.